Closed Bug 430814 Opened 17 years ago Closed 17 years ago

Crash [@ nsStyleContext::GetStyleDisplay] while trying to print

Categories

(Core :: Layout: Tables, defect)

x86
All
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla1.9

People

(Reporter: martijn.martijn, Assigned: MatsPalmgren_bugz)

Details

(Keywords: crash, testcase, verified1.8.1.15, Whiteboard: [sg:critical?])

Attachments

(2 files)

See testcase, when clicking on the print button and then printing something, current trunk builds of Mozilla crash.
http://crash-stats.mozilla.com/report/index/8f00214c-12df-11dd-92b9-001cc4e2bf68?p=1
0 xul.dll nsIFrame::GetStyleDisplay nsStyleStructList.h:95
1 xul.dll nsCSSRendering::PaintBackgroundWithSC mozilla/layout/base/nsCSSRendering.cpp:3448
2 xul.dll TableBackgroundPainter::PaintCell mozilla/layout/tables/nsTablePainter.cpp:634
3 xul.dll TableBackgroundPainter::PaintRow mozilla/layout/tables/nsTablePainter.cpp:590
4 xul.dll TableBackgroundPainter::PaintRowGroup mozilla/layout/tables/nsTablePainter.cpp:530
5 xul.dll TableBackgroundPainter::PaintTable mozilla/layout/tables/nsTablePainter.cpp:446
6 xul.dll nsTableFrame::PaintTableBorderBackground mozilla/layout/tables/nsTableFrame.cpp:1469
7 xul.dll nsDisplayTableBorderBackground::Paint mozilla/layout/tables/nsTableFrame.cpp:1318
8 xul.dll nsDisplayList::Paint mozilla/layout/base/nsDisplayList.cpp:296
9 xul.dll nsLayoutUtils::PaintFrame mozilla/layout/base/nsLayoutUtils.cpp:988
10 xul.dll nsPageFrame::PaintPageContent mozilla/layout/generic/nsPageFrame.cpp:562
11 xul.dll PaintPageContent mozilla/layout/generic/nsPageFrame.cpp:403
12 xul.dll nsDisplayGeneric::Paint mozilla/layout/base/nsDisplayList.h:862
13 xul.dll nsDisplayList::Paint mozilla/layout/base/nsDisplayList.cpp:296
14 xul.dll nsLayoutUtils::PaintFrame mozilla/layout/base/nsLayoutUtils.cpp:988
15 xul.dll nsSimplePageSequenceFrame::PrintNextPage mozilla/layout/generic/nsSimplePageSequence.cpp:647
16 xul.dll nsPrintEngine::PrintPage mozilla/layout/printing/nsPrintEngine.cpp:2368
17 xul.dll nsPagePrintTimer::Notify mozilla/layout/printing/nsPagePrintTimer.cpp:90
18 xul.dll nsTimerImpl::Fire mozilla/xpcom/threads/nsTimerImpl.cpp:403
19 xul.dll nsTimerEvent::Run mozilla/xpcom/threads/nsTimerImpl.cpp:490
20 xul.dll nsThread::ProcessNextEvent mozilla/xpcom/threads/nsThread.cpp:510
21 xul.dll nsBaseAppShell::Run mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:170
22 nspr4.dll PR_GetEnv
23 firefox.exe wmain mozilla/toolkit/xre/nsWindowsWMain.cpp:87
24 firefox.exe firefox.exe@0x217f
25 kernel32.dll BaseProcessStart
Attached file testcase
OS: Windows XP → All
Whiteboard: [sg:critical?]
Attached patch wallpaper
Wallpaper, until we find the real bug...
This file already has this wallpaper in another place:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/tables/nsTablePainter.cpp&rev=3.25&root=/cvsroot&mark=413-415#408
Attachment #317773 - Flags: review?(bernd_mozilla)
Group: security
Comment on attachment 317773 wallpaper
The cited URL was not wallpapering over a bug but rather defensive programming. I had a good share of crash bugs (one of them being a top crasher) after fantasai's paint patch landed, so the idea was to have a rather drastic assertion message that will ring all bells instead of having an exploitable array boundary violation. I will do the core fix and then check if ff2 is also vulnerable.
Attachment #317773 - Flags: review?(bernd_mozilla) → review+
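The following C++ example is added here for illustration and is not the attached patch or Mozilla code. It shows the pattern the review comment above describes: a loud diagnostic plus a bail-out in place of an out-of-range array access. TablePainter, ColData, PaintCell and PaintRow are hypothetical names, and the row data is constructed.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for the per-column background data a table painter keeps.
struct ColData { unsigned background; };
enum PaintResult { PAINT_OK, PAINT_SKIPPED_BAD_COLUMN };

class TablePainter {
public:
  explicit TablePainter(std::size_t numCols) : mCols(numCols), mViolations(0) {
    for (std::size_t i = 0; i < numCols; ++i)
      mCols[i].background = 0xFFFFFFu - static_cast<unsigned>(i);
  }
  // colIndex is reported by the cell, not by the painter, so it can disagree
  // with mCols.size() when the two structures are out of sync.
  PaintResult PaintCell(long colIndex, unsigned* outColor) {
    if (colIndex < 0 || static_cast<std::size_t>(colIndex) >= mCols.size()) {
      // Loud diagnostic plus bail-out. The check must not live only inside an
      // assert(): with NDEBUG that compiles away and release builds would
      // index out of bounds again.
      ++mViolations;
      std::fprintf(stderr, "TablePainter: column %ld outside [0, %zu), cell skipped\n",
                   colIndex, mCols.size());
      return PAINT_SKIPPED_BAD_COLUMN;
    }
    *outColor = mCols[static_cast<std::size_t>(colIndex)].background;
    return PAINT_OK;
  }
  unsigned Violations() const { return mViolations; }
private:
  std::vector<ColData> mCols;
  unsigned mViolations;
};

// Paints a row given each cell's reported column index; returns cells painted.
std::size_t PaintRow(TablePainter& painter, const std::vector<long>& cellCols) {
  std::size_t painted = 0;
  unsigned color = 0;
  for (std::size_t i = 0; i < cellCols.size(); ++i)
    if (painter.PaintCell(cellCols[i], &color) == PAINT_OK) ++painted;
  return painted;
}

int main() {
  TablePainter painter(3);                         // table with three columns
  const std::vector<long> row = {0, 1, 2, 3, -1};  // constructed: last two are out of range
  return PaintRow(painter, row) == 3 ? 0 : 1;
}
```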
Attachment #317773 - Flags: superreview?(roc)
Attachment #317773 - Flags: superreview?(roc) → superreview+
Attachment #317773 - Flags: approval1.9?
Comment on attachment 317773 wallpaper
a=mconnor on behalf of 1.9 drivers
Attachment #317773 - Flags: approval1.9? → approval1.9+
mozilla/layout/tables/nsTablePainter.cpp 3.26
Filed bug 431087 on fixing the real bug.
-> FIXED
Assignee: nobody → mats.palmgren
Target Milestone: --- → mozilla1.9
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Comment on attachment 317773 wallpaper
The testcase does not crash 2.0.0.14 on XP/Linux/OSX, but the code looks the same on branch. The patch is trivial so it might be worth taking just in case...
Attachment #317773 - Flags: approval1.8.1.15?
Flags: in-testsuite?
> The patch is trivial so it might be worth taking just in case...
Exactly, this should go onto branch; there is no need for gambling there.
Comment on attachment 317773 wallpaper
approved for 1.8.1.15, a=dveditz for release-drivers
Attachment #317773 - Flags: approval1.8.1.15? → approval1.8.1.15+
Verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9pre) Gecko/2008042806 Minefield/3.0pre. No crash with the testcase.
Status: RESOLVED → VERIFIED
Checked in on MOZILLA_1_8_BRANCH: mozilla/layout/tables/nsTablePainter.cpp 3.13.6.1
Keywords: fixed1.8.1.15
Mats, can we change the assert to something less draconian? Like a warning for a "nsTablePainter error"; I will know what it means. This bug should stay closed till bug 424377 is fixed.
Verified that the code got checked in. Also verified no crash in 2.0.0.14 and 2.0.0.15 (as said before).
Group: security
Crash Signature: [@ nsStyleContext::GetStyleDisplay]